1. Technical Field
The present invention relates to secure wireless communications and, more particularly, to preserving security of a wireless communication during handover.
2. Discussion of Related Art
I. Introduction
Protected Session Keys (SK) management for mobile terminals attached to wireless access networks has become a hot research topic. The term “Session Keys” (SKs) refers to keys that are used to create ciphering keys between an Access Point (AP) and a Mobile Node (MN). This SK could also be named as an Authentication Key (AK). In IEEE groups such as 802.11(r,i)[17], 802.21, and 802.16 (WiMAX) are working with issues to improve support for mobile terminals without sacrificing the security of Mobile Node sessions. The so-called Extensible Authentication Protocol (EAP) working group in the IETF (RFC 3748) is working with key hierarchies and key derivation [2]. The IETF Protocol for carrying Authentication for Network Access (PANA) working group is tackling the issue of mobility optimizations for the PANA protocol [12], 13] and at a high-level is facing the same problem as the other groups. They have all encountered the security problem of using the same SKs with multiple APs. Thus, one of the key issues in the SK management area has been a requirement of having cryptographically separate SKs for every Access Point (AP) [1]. To achieve this, different proposals have emerged. Three existing proposals are analyzed, namely pre-distribution, key-request, and pre-authentication, and they are compared to the new approach of the invention.
The remainder of this background section describes the reference architecture, an analysis is provided of separate SKs used for APs in the context of a handoff process. The three existing proposals for separate session keys for APs are then described.
II. Separate Session Keys for Access Points
A. Reference Architecture
In this specification a simple reference architecture is focused upon, in which a centralized gateway (GW) is connected with multiple APs. This architecture is outlined in FIG. 1. All the APs have a wireless interface towards the wireless MN and a wired (or wireless) interface towards a centralized GW. APs forward packets between the MN and the GW and the wireless MN can be moving between the APs, leading to handoffs. The GW forwards packets to and from the MN to the Internet. The access network has multiple randomly attached MNs. One AP may handle multiple MNs simultaneously. APs under the control of the GW have direct connections via an Ethernet switch for example. Other connections are of course possible and this is but one example. In this specification it is assumed that the traffic protection happens between the MN and the AP, not for example between the MN and the GW. In this way the APs can filter traffic that is not properly authenticated and protect the GW from direct attacks. All SK establishment and distribution mechanisms described in this specification would not be needed if the MN uses the session with the GW to create ciphering keys between them. This would mean that the packets are encrypted and decrypted in the MN and the GW. Also, in such a case the rogue-AP security threat would not be critical because the AP would not be able to decrypt the traffic. On the other hand, integrity protection of the control plane signaling between the MN and the AP would have to be protected or moved from the AP to the GW.
When a wireless MN is changing its attachment point from one AP to another, this change is called a handoff. The new AP is the AP that the MN changes its attachment point to. This AP can also be called the target AP, as it is the target of the handoff process. The old AP is the AP from which the MN switches to the new AP. This AP can also be called the previous AP. The serving AP is the AP that the MN is currently attached to.
The GW has a security association with all the APs (SA1, SA2, SA3) as shown in FIG. 1. These security associations (SA) can be used to encrypt and protect the integrity of data packets to preserve confidentiality of the information between the AP and the GW. Both the MN and the GW have a common Key Root (KR). Usually the KR is formed as a result of an authentication protocol run between the MN and an Authentication Server (AS) that may reside in the Internet or in the GW. This authentication protocol run that is (for example EAP [10]) is out of the scope of this invention and is not described in further detail. Here it is just assumed that the KR has been established. Privacy must be preserved for the MN in such a way that it does not reveal its permanent identity in plain text over the wireless interface. The KR could be used to protect the identity exchange after it has been established, but before that other protection mechanisms must be used, e.g., using public key cryptography to encrypt the permanent identity or using temporary identities. This need not be discussed any further herein.
B. Session Keys
FIG. 2 shows a simplified key hierarchy, where long-term credentials are used to derive a KR based on an authentication signaling. The KR is used to derive SKs for the sessions between a MN and an AP. The SK is a shared secret between the MN and the AP that currently communicates with the MN. The SK is used to create fresh ciphering keys that protect the packets on the wireless link between MN and the respective AP. SK derivation is a process in which a Key Derivation Function (KDF) is used to create new keys from existing keying material. The KDF is typically based on a one-way hash function. An example of the SK derivation function is given below. The assumption here is that the KR is fresh and nonces are not used because the system must be able to derive the keys based on the existing information. Ciphering (session) key derivation would additionally include nonces into the KDF.SKMNx-APi=KDF{KR∥IDAPi∥TIDMNx∥“AP Key”}  (1)
Where
i =index (AP number)SKMNx-APi =Session Key between APi and MNxKDF =Key Derivation FunctionKR =Key RootIDAPi =Public Identity of the APiTIDMNx =Access network specific MNx identifier“AP Key” =Constant stringFrom a security perspective there exists a threat that an AP may have been compromised. A compromised AP is called rogue-AP. To mitigate the threat of a rogue-AP a requirement for SK management has been created [1]. The requirement is that the MN has cryptographically separate SKs with each and every AP it is communicating with on the wireless link. This means that when the MN moves for example from AP1 to AP2, it must change the SK it had with AP1 to a new SK with AP2. Cryptographically separate or independent SKs means that an AP must not be able to derive an SK that was used or will be used in some other AP. Based on the reference architecture and the KR between MN and GW it is assumed that the MN is able to derive AP specific SKs based on the information that the AP is advertising on the access link. At a high level, the KDF is fed with the KR key and AP identity information and the result is a session key that is bound to the AP's identity. This mechanism is called channel binding. The MN needs to know the AP identity to derive the AP specific session key. This typically happens during the handoff. The MN needs to send its identity to the AP, so that AP is able to find the correct key.
Schemes in which the same SKs are transferred from one AP to another must be rejected, because they do not fulfill the security requirement of separated SKs. Key derivation mechanisms between APs and the MN that use public key (asymmetric) cryptography, like AP certificates, fulfill the requirement of SK independence, but typically require heavier computation than symmetric key cryptography (shared secrets). Handoffs are time critical and thus asymmetric cryptography is something that is not considered any further herein for SK creation between MN and an AP.
C. Handoff Considerations with Separate Session Keys
It is possible to derive the target AP specific session key before the handoff if the MN knows the target AP's identity (material needed for the key derivation). This way the key derivation process does not add to the handoff time. On the other hand executing a hash function of a few bytes is very fast. If MN buffers encrypted upstream data and handoff occurs, the new AP is not able to decrypt the upstream packets encrypted for the old AP. This means that the MN must discard the encrypted upstream packets in the buffer and re-encrypt the same packets with the new AP specific SKs. This can however be problematic if there is no other buffer of plain text packets available anymore. In the worst case an upper protocol layer must be informed that the packets were lost. Discarding encrypted upstream packets and re-encrypting them adds to the handoff delay. This problem arises also in uplink soft handovers, where the MN concurrently sends uplink packets to two APs. To overcome this problem the upper-layer must either buffer upstream data without encryption or encrypt them with both old and new AP SKs.
The MN cannot derive an AP specific SK before it gets the AP identity. On the other hand, deriving keys beforehand is not possible if real data protection keys need to be further derived from the AP specific SK based on communication between the MN and the target AP (for example nonce exchanges). In other words, deriving ciphering keys beforehand is not possible if communication between the MN and the target AP is needed, for example nonces exchange. This method to create fresh protection keys is in many cases required to provide replay protection. With separate SKs per AP this threat of replay attack is limited to the scope of a single AP with the same SK. If a fresh nonce can be transferred to the MN together with the AP identity, then the MN has all the required external information to derive SK based protection keys. The MN itself can choose a fresh and random nonce and send it along with the first upstream message to the AP. Now, the only problem is that the new AP can't send encrypted data to the MN without first getting the nonce from it. To overcome this problem, the MN can send its own fresh nonce before the handoff to the network, which then must deliver the nonce to the MN's target AP. This can happen for example during a context transfer from the current AP to the target AP.
Next are described three existing solutions for preserving cryptographically separate SKs for APs serving MNs, first (1) pre-distribution, then (2) key-request and finally (3) pre-authentication.
III. Session Management Mechanisms
This section describes three existing proposals for wireless mobile networks that require separate SKs for each AP. In Kerberos [15] the MN or client uses tickets to authenticate to servers and services. This description concentrates on methods that do not require the MN to carry and transfer keys for the APs.
A. Predistribution
In a pre-distribution [4][8], [17] scheme, as shown in FIG. 3, the GW derives AP specific SKs and distributes them to a number of APs when the MN has successfully attached to the access network. Channel-binding mechanisms are used in AP specific key derivation as described in the section II.A. above describing the Reference Architecture.
The benefit of this approach is that when the MN moves from one AP to another the new AP already has a session key for the MN because it was pre-distributed. This way the AP doesn't have to fetch the key or derive the key, but it needs to find a correct key from its key database (memory). To find a correct key AP needs to know the corresponding identity of the MN. This means that the MN's identity must be communicated to the AP before it is able to find the correct key and prepare the communication channel further. Another drawback is that the MN may never move under an AP that has a session key ready for it. This means that the APs are reserving memory resources even if they never need them. Pre-distribution may happen only for selection of APs near the MN. For this reason if the MN moves out of the pre-distribution area, new keys must be distributed from the GW.
In a rogue-AP situation, in which an attacker has gained access to an AP, it is possible for the attacker to know how many MNs are active in the area or even identify the MNs based on the key names used.
B. Key-Request
In a key-request scenario, such as shown in FIG. 4, the GW is contacted in every handoff. GW acts as an on-request Key Distribution Center (KDC) and delivers an AP specific session derived from the KR. When the MN moves from AP1 to AP2, the MN does a fast re-authentication with the GW through AP2. As a result the AP2 and the MN have a new AP2 and MN specific session key.
This scenario provides just in time, separate and fresh SKs for every AP, but the key derivation and signaling with the GW adds to the handoff delay (break).
C. Pre-Authentication
In a pre-authentication scenario [17], such as shown in FIG. 5, the MN authenticates with multiple APs through a single AP [17], [18], [20]. This way the MN has pre-established SKs with multiple neighboring APs.
When the MN moves from AP1 to AP2 or AP3 the pre-established session key is used. This makes the handoffs very fast since no signaling between AP and GW is needed. Also signaling between new and old APs is unnecessary. When doing pre-authentication, the AS and GW are heavily loaded. The high probability that the MN does not visit all the APs makes this scenario less efficient.